Hi list,

I have installed squid 2.6 as transparent. Then I installed shorewall-common 4.0.3 on the same machine in order to load balance two connections, but to no avail.

I have attached shorewall dump as well as my config files for shorewall. Plz guide me what to do. Note that I took all help from http://www.shorewall.net/MultiISP.html but that didn't work, so I had to modify my configs as well in order for the error msgs to disappear.

Finally all the errors disappeared but my clients cannot access any of the DSL connections I have. Plz advise...

--
Thanks and regards,
Javed

Javed wrote:
> Hi list,
>
> I have installed squid 2.6 as transparent. Then I installed shorewall-common 4.0.3 on the same machine in order to load balance two connections, but to no avail.
>
> I have attached shorewall dump as well as my config files for shorewall. Plz guide me what to do. Note that I took all help from http://www.shorewall.net/MultiISP.html but that didn't work, so I had to modify my configs as well in order for the error msgs to disappear.
>
> Finally all the errors disappeared but my clients cannot access any of the DSL connections I have. Plz advise...

For what it's worth, I suggest that net2loc and net2fw policies are a bad idea. You don't need them for your proxy server to work - I suggest setting them to DROP, and also adding an all2all DROP policy.

When I ran a multi ISP setup, I needed this rule in tcrules:

    # This stops tcrules from overriding settings in providers
    CONTINUE:P - - - - - - !0

It may not be required any more. When Tom gets up he will be able to tell you for sure.

I'm not an expert at reading dumps, but otherwise your config looks pretty straightforward and OK. What were the errors you were getting, and what did you change to fix them? And what exactly doesn't work? In your dump, the redirect rule for squid has not even been accessed, meaning there has been no proxy traffic to redirect.

Also, have you read the following?

http://www.shorewall.net/Shorewall_Squid_Usage.html
http://www.shorewall.net/FAQ.htm#faq57
http://www.shorewall.net/FAQ.htm#faq58

--
Paul
<http://paul.gear.dyndns.org>
--
Did you know? Using accepted quoting conventions makes your email easier to understand. Learn how at <http://www.netmeister.org/news/learn2quote.html>.

Javed wrote:
> Hi list,
>
> I have installed squid 2.6 as transparent. Then I installed shorewall-common 4.0.3 on the same machine in order to load balance two connections, but to no avail.
>
> I have attached shorewall dump as well as my config files for shorewall. Plz guide me what to do. Note that I took all help from http://www.shorewall.net/MultiISP.html but that didn't work, so I had to modify my configs as well in order for the error msgs to disappear.
>
> Finally all the errors disappeared but my clients cannot access any of the DSL connections I have. Plz advise...

From the dump:

    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0a:5e:22:85:9a brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.200/24 brd 192.168.1.255 scope global eth1
    4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:16:76:6f:25:c2 brd ff:ff:ff:ff:ff:ff
        inet 192.168.2.200/24 brd 192.168.2.255 scope global eth2

You have the ADDRESSes reversed in your /etc/shorewall/masq:

    eth1    eth0    192.168.2.200    <== This is eth2's IP
    eth2    eth0    192.168.1.200    <== This is eth1's IP

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
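
A check for the mismatch diagnosed above, as an added example that is not part of the original thread: it compares each ADDRESS in a masq file against the addresses bound to that entry's INTERFACE. The sample input is the `ip addr` excerpt and masq entries quoted in the message (link/ether lines omitted); the function names are illustrative, and only plain single-address entries are checked.

```python
import re

# Sample input: interface addresses and masq entries as quoted in the message above.
IP_ADDR_DUMP = """\
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.1.200/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.2.200/24 brd 192.168.2.255 scope global eth2
"""
MASQ = """\
#INTERFACE  SOURCE  ADDRESS
eth1        eth0    192.168.2.200
eth2        eth0    192.168.1.200
"""

def interface_addresses(dump):
    """Map interface name -> set of IPv4 addresses from `ip addr` style text."""
    addrs, current = {}, None
    for line in dump.splitlines():
        head = re.match(r"\d+:\s+([^:@\s]+)", line)
        if head:  # "3: eth1: <...>" starts a new interface stanza
            current = head.group(1)
            addrs.setdefault(current, set())
            continue
        inet = re.match(r"\s+inet\s+(\d+\.\d+\.\d+\.\d+)", line)
        if inet and current:
            addrs[current].add(inet.group(1))
    return addrs

def check_masq(masq_text, addrs):
    """Return (interface, address, owner) for each ADDRESS not bound to its INTERFACE."""
    problems = []
    for line in masq_text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, split columns
        if len(fields) < 3 or not re.fullmatch(r"\d+(\.\d+){3}", fields[2]):
            continue  # no plain single SNAT address to verify
        iface = fields[0].split(":", 1)[0]  # drop any ":dest" qualifier
        address = fields[2]
        if address not in addrs.get(iface, set()):
            # Name the interface that actually holds the address, if any.
            owner = next((i for i, a in addrs.items() if address in a), None)
            problems.append((iface, address, owner))
    return problems

if __name__ == "__main__":
    for iface, address, owner in check_masq(MASQ, interface_addresses(IP_ADDR_DUMP)):
        print(f"masq: {address} is not on {iface} (configured on {owner})")
```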

Hello Tom!

After I started test work on my new Shorewall firewall with tc shaping enabled, I found that rules in the 'tcrules' file must have a definite order. When I have the following sequence of rules:

    31:F $EXT_IF $INT1_IF:192.168.5.0/24 all
    32:F $EXT_IF $INT1_IF:192.168.5.45 all

and my IP - 192.168.5.45, then my packets have MARK 31. But when I change the order of these rules:

    32:F $EXT_IF $INT1_IF:192.168.5.45 all
    31:F $EXT_IF $INT1_IF:192.168.5.0/24 all

I get what I want - my packets have MARK - 32.

I think that this fact must be reflected in the documentation in BOLD font. Sorry if I did not find it.

Thank you,
Alex

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

On 10/5/07, alex <alshu@tut.by> wrote:
> Hello Tom!
> After I started test work on my new Shorewall firewall with tc shaping
> enabled, I found that rules in the 'tcrules' file must have a definite order.
> When I have the following sequence of rules:
>
> 31:F $EXT_IF $INT1_IF:192.168.5.0/24 all
> 32:F $EXT_IF $INT1_IF:192.168.5.45 all
>
> and my IP - 192.168.5.45, then my packets have MARK 31.
> But when I change the order of these rules:
>
> 32:F $EXT_IF $INT1_IF:192.168.5.45 all
> 31:F $EXT_IF $INT1_IF:192.168.5.0/24 all
>
> I get what I want - my packets have MARK - 32.
> I think that this fact must be reflected in the documentation in BOLD font.
> Sorry if I did not find it.

IMHO this should be obvious, and I think happens not only in the tc files, but pretty much with any firewall rules.

Your 31:F rule acts on a whole subnet, and the IP of the 32:F rule is part of that subnet. So of course the 32:F rule will never be reached, because the 31:F rule will always match.

~David

alex wrote:
> Hello Tom!

Alex, PLEASE don't hijack another thread by replying and changing the subject! Start your own thread.

>
> I think that this fact must be reflected in the documentation in BOLD font.
> Sorry if I did not find it.
>

Near the beginning of the output of "man shorewall-tcrules":

    *Important*

    Unlike rules in the shorewall-rules(5) file, evaluation of rules in this file will continue after a match. So the final mark for each packet will be the one assigned by the LAST tcrule that matches.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key